Page 2 of 4
For early botnet pioneers, the possibilities for profit were endless. Fraudsters could build botnets that consisted of hundreds or even thousands of computers and use them for their own spam scams, or sell or rent them to others to send out large waves of spam. In the process of taking over a computer for use in a botnet, a virus could also be instructed to raid people's e-mail address books, search for bank records, credit card or social security numbers, even capture every key stroke that a person typed.
Infected computers harnessed by botnets also serve as hosts for fraud schemes.
When an elderly man using a computer for the first time clicks on the link in a spam e-mail to order the Viagra he is afraid to talk to his doctor about, he will be routed to what looks like an online pharmacy to enter his credit card and personal information. But that Web page is actually a fake planted on a botnet computer that will forward his information to the "fraudster" running the scheme and then shut itself down. Again, the owner of the infected computer is almost always none the wiser.
Three to four years ago, most fraudsters were like Shiva Brent Sharma, 22, who is currently serving a four-year maximum prison sentence in New York. Sharma dabbled in a bit of everything. He bought stolen identity and credit card information off the Web and wired tens of thousands of dollars to himself. He bought a program designed to harvest AOL addresses for $60 in a chatroom and used it to collect 100,000 of them for use in a "phishing" scheme in which he sent out e-mails telling people their billing information had been canceled and asking them to re-enter it. He managed to trick over 100 people into entering their financial data on a bogus AOL Web site he set up, Network World reported.
Sharma was also among the first in the country to be arrested for Internet identity theft crimes, and the police had relatively little difficulty tracking him down because he did a poor job of laundering his ill-gotten gains and wired some of the stolen credit card cash directly to his own accounts.
Small-time Sharmas are still out there making their living on the Web, experts say, but they are being eclipsed by Internet crime families who hire the Sharmas of the world to help them commit their crimes. Today's phishing schemes involve millions of e-mails, often rely on botnets and are increasingly team efforts. And an entire criminal underworld has developed that specializes in laundering money stolen over the Internet.
So where does all that spam come from? Most computer crime experts point to Russian and Eastern European cybergangs. While the infected computers sending out spam are mostly in the United States, China or a number of Asian countries, the viruses that inhabit them can often be traced to Eastern Europe.
Economics plays a big role in that, says Lance Spitzner, founder and president of the nonprofit Honeynet Project, which tracks criminal patterns on the Web.
"Eastern Europe is actually very highly educated, and many of the Eastern European countries, for example, Armenia, have a higher literacy rate than the United States," says Spitzner. "They also historically and culturally have very strong mathematical skills. So this means you've got quite a breeding ground of very strong, technically competent people. At the same time, Eastern Europe's economy is very bad, so this is one of the few ways that people can make money, is to use their skills."
Combine that with practically nonexistent law enforcement for cybercrime and you've got the perfect breeding ground for Internet crime.
"Not only is the potential return on investment so high, but the odds of them being identified and prosecuted and going to jail in their own country are so astronomically low that it is almost stupid for them to pass up this opportunity," says Spitzner.
Because they have a much better chance of getting caught in the United States, most criminal gangs would rather run a spam scam out of a poor or Third World country. But that doesn't mean that IT students here aren't struggling with smaller-scale temptation.
A June survey of 77 Purdue University computer science students using an anonymous questionnaire found that 88 percent of them had engaged in at least one of a list of online activities that could be described as "deviant" and some that could be described as illegal.
Among the activities on the list was guessing or obtaining another person's password, reading or changing someone else's files, writing or using a computer virus, obtaining credit card numbers and using a device to obtain free phone calls.